Trusted Services Compromise

Commonly used to launch phishing attacks or hack other trusted domains

A domain, service or site with trusted reputation can become compromised and it’s used to launch phishing attacks or hack other trusted domains. By leveraging the trusted reputation of domains, including AWS, Azure,, and, cybercriminals have the opportunity to easily evade current detection technologies using domain reputation and blocklists like SEG, proxy, SASE, and endpoint security tools. Attackers are using shared services to get around domain reputation technologies with increased frequency. 


As more threat actors leverage trusted infrastructure and manipulate trusted brands, it’s becoming harder and harder to stop these phishing attacks and cybersecurity threats. Whether it’s from credential-stealing or legitimately purchased cloud services. Cybercriminals can employ phishing emails containing links to legitimate cloud providers – including AWS, Azure, Alibaba, and Google – hosting phishing sites. Regardless of how access to trust domains occurs, the consistent element in these attacks is the initial URL is legitimate to avoid detection. Once clicked, the URL is redirected to a phishing page hosted elsewhere.

How Cybercriminals Gain Access to Trusted Services and Domains

A popular tactic to gain access to trusted services is account takeover. Once a cybercriminal has access to Microsoft 365 credentials from one company, they can initiate attacks against other companies, and those targets will have a sense of trust.

Once the bad actor has access to Office 365 credentials, they will send emails to their targets using the trusted email and Microsoft One Drive or OneNote to deliver a P.O. or invoices from a trusted site. They might also choose to continue to steal more credentials for ransomware, data exfiltration, or malware injection at a later date.

What You Can Do to Protect Yourself

While it is important to train users on how to identify phishing and social engineering, training users to detect phishing attacks from trusted services can be difficult. While it’s possible to identify illegitimate websites and other ploys, it’s harder to identify legitimate websites that are used to mask the malicious URL. The best defense against these attacks is threat detection technology that can follow URL re-directs and examine each subsequent page’s contents rather than focusing singularly on the URL analysis or domain reputation analysis of only the initial page.


SlashNext sees through evasion tactics and detects previously unknown, zero-hour threats including, compromised websites and trusted hosting service, shortened links. multiple redirects and other types of obfuscation. SlashNext SEERTM technology is AI powered cloud detection and LiveScan can detects zero-hour phishing threats including those threats on domains, services or site with trusted reputation. 

SlashNext Blog | Trusted Services Compromise

Phishing Threats

Today, while man-in-the-middle (MiTM) attacks are still a big concern, the security endpoint has changed to the browser, creating a MiTB phishing threat that poses real danger.

Understand how cybercriminals gain access to legitimate hosted domains through account takeover. 


Just how prevalent are these phishing callbacks and C2 infections? In every client install we perform – 100 percent! – we see C2 infections and callbacks. Are you compromised?

In 2020 phishing exploded as the world faced a 100-year pandemic and many people moved to remote working and learning, which changed the phishing threat landscape forever. 

Try SlashNext Multi-Channel User Protection Risk-Free

Fast and easy cloud deployment in minutes.

6701 Koll Center Parkway, Suite 250
Pleasanton CA 94566


Privacy Policy

© All Rights Reserved, SlashNext, Inc.